Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication

Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with
                           file from package sssd-common-1.15.1-1.fc25.x86_64
Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
Lukas Slebodnik 2017-04-29 23:56:40 +02:00
parent eecc431e93
commit 9c949c17eb
5 changed files with 272 additions and 3 deletions

@ -0,0 +1,60 @@
From 1c551b1373799643f3e9ba4f696d21b8fc57dafd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 16 Mar 2017 20:43:08 +0100
Subject: [PATCH] krb5: return to responder that pkinit is not available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If pkinit is not available for a user but other authentication methods
are, SSSD should still fall back to local certificate-based
authentication if Smartcard credentials are provided.
Resolves https://pagure.io/SSSD/sssd/issue/3343
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/krb5/krb5_child.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -42,6 +42,10 @@
#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
+#define IS_SC_AUTHTOK(tok) ( \
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+
enum k5c_fast_opt {
K5C_FAST_NEVER,
K5C_FAST_TRY,
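Review bot: IS_SC_AUTHTOK() expands its argument twice, once per sss_authtok_get_type() call, so any expression with side effects passed as `tok` would be evaluated twice; a static inline helper returning bool gives the same test with single evaluation and type checking. A one-line comment above it saying it matches both the PIN and keypad Smartcard token types would also help, since it sits next to an unrelated #define.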
@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
* pre-auth module is missing or no Smartcard is inserted and only
* pkinit is available KRB5_PREAUTH_FAILED is returned.
* ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
- * frontend that local authentication might be tried. */
+ * frontend that local authentication might be tried.
+ * Same is true if Smartcard credentials are given but only other
+ * authentication methods are available. */
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
&& kerr == KRB5_PREAUTH_FAILED
- && kr->password_prompting == false
- && kr->otp == false
- && kr->pkinit_prompting == false) {
+ && kr->pkinit_prompting == false
+ && (( kr->password_prompting == false
+ && kr->otp == false)
+ || ((kr->otp == true
+ || kr->password_prompting == true)
+ && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
return ERR_NO_AUTH_METHOD_AVAILABLE;
}
return kerr;
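Review bot: the new condition can be simplified: `(kr->otp == true || kr->password_prompting == true)` is exactly the negation of `(kr->password_prompting == false && kr->otp == false)`, so the whole parenthesised disjunction reduces to `(kr->password_prompting == false && kr->otp == false) || IS_SC_AUTHTOK(kr->pd->authtok)`. The shorter form matches the updated comment more directly (no usable method at all, or Smartcard credentials offered where only password/OTP is available) and removes the stray `(( ` spacing.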
--
2.12.2

@ -0,0 +1,51 @@
From 08084b1179bb9fc38bc22b464b3d44907107bfd3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 25 Apr 2017 12:39:32 +0000
Subject: [PATCH 4/6] ssh tools: The ai structure is not an array,
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This structure is actually a linked list, so do not mislead readers by
treating it as an array.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index adb82288d435cefccf7e23e6ed2b2c551798a7f8..310243c2fc8091f711559d4afb412e619af687ad 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -268,10 +268,10 @@ int main(int argc, const char **argv)
DEBUG(SSSDBG_OP_FAILURE,
"getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret));
} else {
- host = ai[0].ai_canonname;
+ host = ai->ai_canonname;
}
} else {
- ret = getnameinfo(ai[0].ai_addr, ai[0].ai_addrlen,
+ ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
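Review bot: correct fix; getaddrinfo() sets ai_canonname only in the first element of the returned list, so `ai->ai_canonname` is the only valid place to read it. The getnameinfo() reverse lookup in the else branch likewise uses just the head of the list; a short comment that the name is deliberately taken from the first address would keep the next reader from turning it into a loop.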
@@ -295,7 +295,7 @@ int main(int argc, const char **argv)
if (pc_args) {
ret = connect_proxy_command(discard_const(pc_args));
} else if (ai) {
- ret = connect_socket(ai[0].ai_family, ai[0].ai_addr, ai[0].ai_addrlen);
+ ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
} else {
ret = EFAULT;
}
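Review bot: after this change the call still connects only to the first address in the list; on a dual-stack host whose first result is an unreachable IPv6 address the proxy gives up without ever trying IPv4, which is the rhbz#1063278 symptom. Fine as a preparatory cleanup as long as the iteration over ai_next lands in the follow-up (5/6).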
--
2.12.2

@ -0,0 +1,46 @@
From 5f6232c7e6d9635c1d6b6b09f799309b6094b143 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 25 Apr 2017 14:00:15 +0000
Subject: [PATCH 5/6] ssh tools: Fix issues with multiple IP addresses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cycle through all resolved addresses until one succeeds or all fail.
This is needed for dual-stack systems where either IPv4 or IPv6 is
improperly configured or selectively filtered at some point along the
route.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index 310243c2fc8091f711559d4afb412e619af687ad..b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -295,7 +295,13 @@ int main(int argc, const char **argv)
if (pc_args) {
ret = connect_proxy_command(discard_const(pc_args));
} else if (ai) {
- ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
+ /* Try all IP addresses before giving up */
+ for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
+ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
+ if (ret == 0) {
+ break;
+ }
+ }
} else {
ret = EFAULT;
}
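Review bot: at this point connect_socket() still performs the whole data exchange, not just the connect, so an error after the connection is up (for example a failed write after stdin has already been partially consumed) would be retried against the next address with the consumed input lost. The loop should fall back only on connect failures, which is what 6/6 then does by splitting the function; until then this hunk changes behaviour for mid-stream errors as well.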
--
2.12.2

@ -0,0 +1,95 @@
From 244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 25 Apr 2017 19:19:13 +0000
Subject: [PATCH 6/6] ssh tools: Split connect and communication phases
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We can fall back after a connect error, but we cannot easily fall back
once we start sending data, as we may have consumed part of the buffer, so
reconnecting and sending what's left would not make sense.
Therefore we now fall back on connect errors, but we issue a hard fail if
an error happens after communication has been established.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 30 ++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29..976ba86b321923cecad0703214e22b0a773ef585 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -40,14 +40,10 @@
/* connect to server using socket */
static int
-connect_socket(int family, struct sockaddr *addr, size_t addr_len)
+connect_socket(int family, struct sockaddr *addr, size_t addr_len, int *sd)
{
int flags;
int sock = -1;
- struct pollfd fds[2];
- char buffer[BUFFER_SIZE];
- int i;
- ssize_t res;
int ret;
/* set O_NONBLOCK on standard input */
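Review bot: the new out-parameter `int *sd` should be documented as written only on success, so callers can rely on their `-1` initial value on failure; the function comment `/* connect to server using socket */` no longer describes the full contract. Also, the "set O_NONBLOCK on standard input" step stays in connect_socket() while the socket's O_NONBLOCK moves to proxy_data(); doing both in proxy_data() would keep the connect phase purely about establishing the connection.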
@@ -85,6 +81,22 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
goto done;
}
+ *sd = sock;
+
+done:
+ if (ret != 0 && sock >= 0) close(sock);
+ return ret;
+}
+
+static int proxy_data(int sock)
+{
+ int flags;
+ struct pollfd fds[2];
+ char buffer[BUFFER_SIZE];
+ int i;
+ ssize_t res;
+ int ret;
+
/* set O_NONBLOCK on the socket */
flags = fcntl(sock, F_GETFL);
if (flags == -1) {
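Review bot: `*sd = sock;` falls straight through into `done:`, so the success path depends on `ret` already being 0 there; an explicit `ret = 0;` next to the assignment would make that self-evident and guard against a later edit leaving a nonzero value from an earlier call in `ret`. The `if (ret != 0 && sock >= 0) close(sock);` cleanup is right: on success the descriptor is handed to the caller and must not be closed here.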
@@ -158,8 +170,7 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
}
done:
- if (sock >= 0) close(sock);
-
+ close(sock);
return ret;
}
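Review bot: proxy_data() now closes the socket unconditionally at `done:`, which is correct because it only ever receives a descriptor that connect_socket() opened successfully, but that transfer of ownership should be stated in a comment above proxy_data() so that main() does not also close socket_descriptor.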
@@ -297,8 +308,11 @@ int main(int argc, const char **argv)
} else if (ai) {
/* Try all IP addresses before giving up */
for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
- ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
+ int socket_descriptor = -1;
+ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen,
+ &socket_descriptor);
if (ret == 0) {
+ ret = proxy_data(socket_descriptor);
break;
}
}
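Review bot: the `break` after proxy_data() gives the intended behaviour: a failure once data is flowing is a hard failure and does not retry the next address. One gap remains: when connect_socket() fails for every address only the last attempt's error survives in `ret`, so a DEBUG line per failed address would make a misconfigured IPv6 route visible in the logs instead of just the final errno.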
--
2.12.2

@ -30,7 +30,7 @@
Name: sssd
Version: 1.15.2
Release: 2%{?dist}
Release: 3%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -40,7 +40,11 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-responders-do-not-leak-selinux-context-on-clients-de.patch
patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
Patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
Patch0003: 0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
Patch0004: 0004-ssh-tools-The-ai-structure-is-not-an-array.patch
Patch0005: 0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
Patch0006: 0006-ssh-tools-Split-connect-and-communication-phases.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
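Review bot: the `patch0002` to `Patch0002` change is cosmetic (RPM tag names are case-insensitive) but keeps the list consistent. Whether the four new Patch000N files are actually applied depends on matching `%patch` lines or `%autosetup` in %prep, which is outside this hunk, so worth confirming the build applies 0003 through 0006.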
@ -176,6 +180,7 @@ Group: Development/Libraries
License: LGPLv3+
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Conflicts: sssd-common < %{version}-%{release}
%description -n libsss_sudo
A utility library to allow communication between SUDO and SSSD
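Review bot: `Conflicts: sssd-common < %{version}-%{release}` ties the subpackage to the exact build of sssd-common, which resolves the file conflict from rhbz#1437199 but also re-tightens the constraint on every rebuild. For libraries whose files can move between subpackages that is the safe default; if the intent is only to exclude the builds that actually conflict, the bound could be pinned to the release where the files moved rather than the macro.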
@ -184,6 +189,7 @@ A utility library to allow communication between SUDO and SSSD
Summary: A library to allow communication between Autofs and SSSD
Group: Development/Libraries
License: LGPLv3+
Conflicts: sssd-common < %{version}-%{release}
%description -n libsss_autofs
A utility library to allow communication between Autofs and SSSD
@ -505,6 +511,7 @@ Summary: The SSSD libwbclient implementation
Group: Applications/System
License: GPLv3+ and LGPLv3+
Conflicts: libwbclient < 4.2.0-0.2.rc2
Conflicts: sssd-common < %{version}-%{release}
%description libwbclient
The SSSD libwbclient implementation.
@ -523,6 +530,7 @@ Development libraries for the SSSD libwbclient implementation.
Summary: SSSD's idmap_sss Backend for Winbind
Group: Applications/System
License: GPLv3+ and LGPLv3+
Conflicts: sssd-common < %{version}-%{release}
%description winbind-idmap
The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
@ -532,6 +540,7 @@ and SIDs.
Summary: SSSD plug-in for NFSv4 rpc.idmapd
Group: Applications/System
License: GPLv3+
Conflicts: sssd-common < %{version}-%{release}
%description nfs-idmap
The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
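Review bot: this is the subpackage named in rhbz#1437199. The same `Conflicts:` line is now repeated verbatim in five subpackages; a spec-level macro (for example a hypothetical `%{sssd_common_conflicts}`) would keep them in sync if the bound ever needs to change.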
@ -1073,7 +1082,6 @@ done
%systemd_preun sssd-sudo.socket
%postun common
%systemd_postun_with_restart sssd.service
%systemd_postun_with_restart sssd-autofs.socket
%systemd_postun_with_restart sssd-autofs.service
%systemd_postun_with_restart sssd-nss.socket
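Review bot: dropping `%systemd_postun_with_restart sssd.service` from %postun while the socket and service lines below stay means sssd.service is no longer restarted in %postun at all; that is only correct if the restart is re-added later in the transaction (%posttrans), otherwise an upgrade would leave the old daemon running.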
@ -1134,6 +1142,9 @@ fi
%postun -n libsss_simpleifp -p /sbin/ldconfig
%posttrans common
%systemd_postun_with_restart sssd.service
%posttrans libwbclient
%{_sbindir}/update-alternatives \
--install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
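Review bot: restarting sssd.service in %posttrans rather than %postun means the restart runs after every package in the transaction has been installed, so the daemon never comes up against a half-upgraded mix of sssd-common and subpackage files. Worth a quick check that the macro's upgrade test on `$1` still holds when invoked from %posttrans, since the scriptlet argument there is not the %postun one.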
@ -1158,6 +1169,12 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Sat Apr 29 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.2-3
- Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication
- Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with
file from package sssd-common-1.15.1-1.fc25.x86_64
- Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
* Thu Apr 06 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.2-2
- Backport few upstrem fixes from master
- Resolves: upstream#3297 Fix issue with IPA + SELinux in containers